Prototypes define the default structure of a JavaScript object and its default values, so that applications do not crash when a value has not been set.

An attacker who manages to modify a JavaScript object's prototype can severely affect how the rest of the application processes data and open the door to more dangerous attacks, such as crashing the application (denial-of-service bugs) or hijacking it (code execution flaws).

Prototype pollution, a growing threat to JavaScript

Prototype pollution attacks are not new and were first documented years ago. However, only now are they being thoroughly catalogued, because JavaScript as a language has evolved from handling basic user-interface interactions to processing impressive amounts of confidential data as a server-side programming language, thanks to the Node.js project.

Therefore, any prototype pollution attack can now have serious consequences in a web development world where almost everything revolves around JavaScript in one way or another, whether in desktop, mobile, browser or server applications.

During the past year, and especially after Olivier Arteau's NorthSec 2018 presentation on prototype pollution attacks, security researchers have begun to look more closely at the JavaScript libraries they have been using and to search them for potential prototype pollution bugs.

These efforts have resulted in the discovery of multiple prototype pollution flaws in more and more JavaScript libraries, such as Mongoose, lodash.merge, node.extend, deep-extend and HAPI, some of them extremely popular in server-side JavaScript applications.

Prototype pollution in jQuery

This constant talk of prototype pollution attacks has also caught the attention of Snyk, a company that provides source code scanning technology, whose researchers were interested in documenting this new attack vector, Liran Tal, a security researcher at Snyk, told ZDNet in an interview earlier this week.

His analysis of prototype pollution attacks resulted in the discovery of a similar flaw affecting jQuery, a JavaScript library so ubiquitous and so rooted in web development work that it is used on 97 percent of all websites that use at least one JavaScript library.

Saying that jQuery is popular among JavaScript developers is the equivalent of saying "water is wet," which means that any prototype pollution flaw discovered in this library automatically opens the door to attacks on hundreds of millions of websites.

In a report published last week, Tal and the Snyk team described the flaw and published proof-of-concept code for a prototype pollution attack (CVE-2019-11358) impacting jQuery. To show how dangerous this vulnerability is, they showed how a prototype pollution flaw could allow attackers to assign administrator rights within a web application that uses jQuery code for its interface.
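As an added illustration, and not the Snyk proof of concept or jQuery's own source, the pattern behind this class of bug: a simplified deep merge modelled on the pre-fix jQuery.extend(true, target, source) behaviour that walks into a `__proto__` key, beside a hardened merge that refuses prototype-chain keys, with a check that tells the two apart on a constructed JSON input.

```javascript
// Added example (not jQuery's source): a deep merge in the style of the pre-fix
// jQuery.extend(true, target, source) pattern, beside a hardened version.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}
// Naive merge: recurses into whatever target[key] resolves to, so an own key
// named "__proto__" in the source walks straight into Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain and only recurse
// into the target's own properties (jQuery 3.4.0's fix also rejects "__proto__").
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed input of the shape an app might merge into its settings; after
// JSON.parse the "__proto__" key is an ordinary own property of the object.
const POLLUTING_JSON = '{"__proto__": {"isAdmin": true}}';
// Returns true if the merge made an unrelated object inherit isAdmin (i.e.
// Object.prototype was polluted); removes the stray property afterwards.
function pollutes(mergeFn) {
  const user = { name: "alice" };
  try {
    mergeFn({}, JSON.parse(POLLUTING_JSON));
    return user.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

The same `pollutes` check, run against an application's real merge helper with a fixture like `POLLUTING_JSON`, makes a cheap regression test for this bug class.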

It is not easy to exploit

But the good news is that prototype pollution attacks are not exploitable en masse, since the exploit code must be adjusted for each target individually. Prototype pollution flaws require attackers to have a deep understanding of how each website works with its object prototypes, and of how those prototypes factor into the grand scheme of things.

In addition, some websites do not use jQuery for any heavy-lifting operations, but simply to animate a few menus and display the occasional pop-up window here and there.

"Finding vulnerable versions of jQuery for this vulnerability is not a difficult task, but automating a real exploitation for the custom code that makes use of the vulnerable jQuery API with respect to prototype pollution would be more difficult," Tal told ZDNet.

In addition, applications and websites that are based on closed source code are also protected against some attacks, Tal told us.

"The exploitation of closed-source server-side code, which is not easy to access for research, requires a bit of research to find out how the pollution of a global object could affect an application, if prototype pollution is applicable at all in those cases," said the researcher.

However, in cases where jQuery is used for more complex operations, such as building complete interfaces or interacting with server-side systems, prototype pollution attacks can allow hackers to access systems considered safe: an ideal bug for targeted attacks against high-value websites.

A huge attack surface

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest version of jQuery, v3.4.0.

Today, most websites still use the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based applications and websites are still open to attack.

Considering that the syntax breaks between the three major versions, and that web developers would rather have acid thrown at them than rewrite their frontends, most websites will continue to use the older versions for the immediate future.